Risk & Reward

I'm a risk enthusiast who likes to discuss techniques, tools and models—and use risk as a practical means to make better decisions in project environments. Join me on the ride!

About this Blog


Recent Posts

(mis)Understanding Contingency

Monty Hall for Projects: To Switch or Not to Switch?

10 Wishes for your Project Risk Management adventures in 2019!

The Curse of the Moving Mountain

A Template for Setting Up Your Qualitative Risk Analyses

10 Wishes for your Project Risk Management adventures in 2019!

Hello, and happy new year, everybody! It’s time for new beginnings and, of course, wishes! I made a list for 2019, with what I wish for you this year, regarding project risk management:

  1. Communicate through risk: It is a great way to bridge gaps in communication and to expose points where people do not see eye to eye. To really understand a project in a glance, look at the project charter, the WBS and the risk register. It goes a long way and tell you a lot!
  2. Stablish a common ground: Adding on to the first item on the list, risk analysis can be used to bring people with different, sometimes even opposite views, although interested in the success of the project, to the same page. If you have something you want to discuss but you don’t know how to address, the risk register may help you.
  3. Question the deterministic: It is a nice idea to come back from the results of your analyses and change the plan. How feasible is it? It should be the P50, or the average, or some other value depending on your appetite for risk.
  4. Understand the challenges ahead: What are the roadblocks on your path? Are there any ladders or only snakes on the path? What is urgent? What is important? Use your register to respond, be proactive!
  5. Plan in advance: Don’t wait until the last minute to plan your responses. Do it as soon as possible, get people involved, make sure the risk drum beats strong so everybody can hear.
  6. Take action, make a move, get going: Do a workshop, make communication plans inside, get people interested on the results! The success of the project will keep everyone in the company employed for more time, or enhance their perceived skills by having participated in a successful project!
  7. Learning device: Incorporate risks in your project records. Make sure people will learn to plan better tomorrow based on what you are experiencing today!
  8. In plain sight: Exchange information, talk, have meetings, don’t be afraid to let the elephant inside the room. It is way better than hiding it until it is bigger than the room you are keeping him in.
  9. Risk and change, hand in hand: Change management can be directed by risks, as well as what the market point in your direction. Make sure you are monitoring progress and updating as frequently as possible, and make all these points connect.
  10. Expect the unexpected: No matter how good you are at mapping risks, something will stay out. You cannot be all that good and remember everything. But you can (you must!) keep track of issues and deviations along the way and make sure they happen only once for you. As they say, fool me once…

I hope you had an amazing year in 2018 and I look forward to having an even richer experience in 2019! I’ve learned a lot, and that is one of the great things of being alive and sharing this sense of community with all of you. Thank you all so much! Have a wonderful 2019!

Posted on: January 02, 2019 09:21 AM | Permalink | Comments (11)

The Curse of the Moving Mountain

When we undertake risk analyses, we are subject to our curses and nightmares. I would like to highlight one of them: the moving steep mountain! In general, our projects (at least the ones I’ve been working on) have some characteristics:

  • They are challenging on cost and schedule (and that’s okay!)
  • They are planned backwards, starting with the end date (and that’s okay, too!)
  • They don’t fit the time available from start to finish (Not okay!)
  • In general, you only find the previous bullet out when you are already working on the project (Not okay!)
  • Considering all the previous bullets, you have an unfeasible schedule (Sorry about that!)
  • Upper management is not willing to delay or add cost (Not okay, again!)

In the light of everything I listed, what do you (usually) do? You compress the schedule! You start doing crashing and fast tracking like crazy. And if you do a schedule risk analysis, you’ll see that the probability of meeting the dates tend to be very low.

In addition, you are a victim (by your own doing!) of the merge bias! This was detailed by Mr. Hulett in his book “Practical Schedule Risks Analysis” (Gower, 2009). It happens when you have a lot of parallel paths that meet in a given task of your schedule.

Suppose you have three tasks that take 5 days each in series and you “fast track” them into three tasks (of six days each) in parallel. Suppose uncertainty is a triangular distribution with the lower point at 70% of the base value and the upper point at 150% of the same value. The most likely value is the base value. When you simulate both cases, you end up with something like this:

This simulation was done using @RISK. We can see that the probability of having a value lower than the planned one is over 25 percent for the original (series) project, whereas the “fast tracked” one (parallel) has a little over 5 percent for the same situation. The parallel paths hold a larger chance of failure, and the waterfall can accommodate a larger task with a shorter one in sequence.

When we don’t consider the risk events in the simulation and we use small ranges on the variation of tasks, we end up with a very unlikely and steep distribution. That’s when the unfeasible schedule takes its toll: when the inevitable reality happens, the risks start occurring and the milestones are missed, and our planning becomes impossible.

But never fear! The management has a solution for that as well! You shift the schedule and move the mountain a little to the right. And that small probability still remains, but it is less and less credible. Eventually the project will be completed, but what is risk management doing to bring value to the table? And the answer is… NOTHING!

It would be much better to have a wide distribution considering events and broader dispersions, which we could slice into different regions and analyze for determinant factors. See below the comparison between the “moving mountains” and the “big hill”.


Let us go for the big hill, then! Let us embed the events in our analyses. Let us shed some light and free ourselves from the curse of the moving mountain and the habits that make management look like zombies.

PS: This post was inspired, of course, by Halloween but, ironically enough, came to life a bit too late! Thank you for reading! Looking forward for your feedback!

Posted on: November 05, 2018 12:37 PM | Permalink | Comments (6)

Preparing for a Schedule Risk Analysis

Recently I posted a poll right here in projectmanagement.com (here) concerning how you prepare a schedule to undertake a schedule risks analysis.

My idea was to understand how you out there see the question of getting a schedule ready for the simulation exercise. I gave you five possible answers:

  • No preparation needed, I just use my regular schedule as is (20 votes)
  • I try to reduce the number of tasks (9 votes)
  • I check the logic links and make sure all tasks are connected (61 votes)
  • I reduce tasks AND check the links (24 votes)
  • I refer to classic audit schemes, like the 14-point assessment (25 votes)

 My answer was number four, “I reduce tasks AND check the links. 17% of the respondents (139 in total) were with me on this. Now let me explain why.

In my case, I usually start with the schedule we use to monitor the progress. It tends to be quite detailed, and have a lot of information that we use to control progress, like issuing reports, preparing for meetings, doing governance, etc. All this tasks go away. Some procurement packages, for instance, have fourty steps and others have ten. I try to harmonize this, so the tasks have some similarity. This reduces a lot of work.

And of course I check the links between tasks, which is a simulation killer, one of the favorite GIGO drivers and a strong sponsor to terrible decision making. With this done, I move on to doing stress analysis and other tests to see which tasks are worthy to model with a distribution. Going further forward, I start consulting experts and doing data crunching to know how exactly I am going to model that. At last, but not surely least, I add events and their mitigation. You can check my series of articles on Qualitative and Quantitative Risk Analyses Integration, starting with this one.

Moving back to our poll, I always thought my answer would win by a landslide, but I understand all the other answers and I will develop a rationale for them, if you allow me:

  • No preparation needed, I just use my regular schedule as is (20 votes, or 14%) – Maybe you have a schedule which is already lean and you the tasks are really balanced. And it is already completely linked. I get that.
  • I try to reduce the number of tasks (9 votes, or 6%) – Reducing the number of tasks is coherent with some best practices in Schedule Risk Analysis. Hulett (2006) is one of the many who advise having a smaller schedule.
  • I check the logic links and make sure all tasks are connected (61 votes, or 44%) – This goes without saying. No logic links means you do not have a schedule. You are not ready to open the door. Go back and get that key!
  • I reduce tasks AND check the links (24 votes, or 17%) – My option, I already said something about it.
  • I refer to classic audit schemes, like the 14-point assessment (25 votes, or 18%) – it is quite interesting to use some methods like the 14-point assessment, which relies on things like logic links, very long or very small tasks, a balance between types of tasks on the schedule and some others. The reason I did not check this one is that I never found one of those schemes who served me completely, without the need for correction. But I completely understand who opted for this, especially if they are under a PMO environment, and things must adhere to a standardized process.

Anyway, thank you for responding to my poll, thank you for reading, and please post comments whether you agree or not with what I said. See you all next time!

Posted on: September 18, 2018 03:19 PM | Permalink | Comments (8)

The GIGO factor

Hello again! Today I am covering what I think is a top five threat in a Schedule Risk Analysis or any simulation / numerical exercise: the destructive power of GIGO. It can send the whole team in a wild goose chase, or calm things down when your foot is halfway into the abyss.

 For those of you who do not know or cannot remember, GIGO stands for Garbage-In-Garbage-Out. Computer models, especially those who rely heavily on assumptions and constraints to run, such as our simulation models, are prone to suffer from that factor. The term dates back to 1957, as far as we can trust Wikipedia for that, with a citation of a weapons specialist saying, “‘sloppily programmed’ inputs inevitably lead to incorrect outputs”. We can observe two main GIGO possibilities when we are simulating our schedules.

 The first one relates to the model itself. That is, if you have a schedule which is faulty, incomplete and lacking the proper detail, no good can come of doing anything but... fixing it! This may be a structural problem and require a review of the WBS and even that very dangerous but necessary question: “What is really the purpose of this Project?” There are tools for detecting a bad schedule, but no straightforward tool for detecting a bad scope. I can easily detect tasks without successors or with hard date constraints, but I cannot, without a real understanding of the Project, state that the scope is ill detailed or the breakdown does not really make sense. It can be a tricky thing.

 The second GIGO factor is the modeling of the simulation itself. Some people are mesmerized by the mere presence of a histogram or a tornado chart. They go: “Wow, so there is a 10 percent chance that we will meet the promised date. I’d better find another job”, or “No way in hell this is right, the modeling is all crooked”. This is why, in my opinion, we must not show any simulation results until the modeling is complete. Until we discussed the distributions, their upper and lower values or other ways to describe them and the risks events, we must hold our instinct to show those beautiful features of the Monte Carlo simulation. What can be worse than having a black box model that shoots numbers left and right? I will tell you: it is having a guided simulation, that is, someone saying, “The modeling doesn’t matter, but the figures for P10, P50 and P90 should be this and this and that”. This is the worst GIGO ever: a confirmation of what is expected just because it is... well, expected!

 Maybe we can model things wrongly just because we lack the training or we are just doing it wrong. That is an honest mistake. However, we must be careful using a tool that powerful, especially when we are in a company with low maturity regarding risk.

I am including a small GIGO-avoiding checklist; feel free to add more items!

  1. Check the schedule before you do anything else;
  2. Have all assumptions and constraints formalized;
  3. Have some quick documentation on the distributions you are using and why, who gave that input, etc.;
  4. Do the same for the events you are modeling;
  5. Make sure whoever models and/or runs the simulation has experience with the software and the technique;
  6. Make sure someone else does a check on the simulation, specially looking for errors and strange results;
  7. Look into the Tornado chart and make sure these correlations, regressions or whatever index you use make sense;
  8. If you are using critical index, evaluate the connection between the values and the ones you observed on step 7;
  9. Prepare a “risk story” for this project: if you were to present it to someone, how would you go about it? Does it make sense for you?
  10. Double-check and validate with external sources, if possible, to avoid the unavoidable biases.

I hope those ten steps help reduce the GIGO issue. Do you have any more tips? Let me know! Thanks for reading!

Posted on: August 22, 2018 04:11 PM | Permalink | Comments (12)

Reward and Risk - why not?

Is that expression common for you? Have you ever heard it like that? I have not and I guess you haven't either. Risk is seen as a negative matter, as a downside, as a hurdle, as a problem to be dealt with. Let us look this question a little closer on this post.

We are constantly warned of the risks in the world. It is something to be careful about. It is something to fear, to work around, to avoid.

Whenever I participate in a risk workshop, somebody says "please, don't forget the opportunities!" In fact, PMBoK states that "project risk management aims to exploit or enhance positive risks (opportunities) while avoiding or mitigating negative risks (threats). A critical success factor for the "Identify Risks" process is the "explicit identification of opportunities" also stating that "the identify risks process should ensure opportunities are properly considered". This is in the Practice Standard for Risk Management, page 38. Nobody needs to tell us to "explicitly identify threats". It is engraved deep into our minds...

Therefore, we need to take a chance, go forward and, well, live a little! I go back to portfolio optimization concepts, when we stablish the efficient frontier for a set of investments, combining risk and return. Of course we should take risks with caution and we should assume risks only should they provide further return for us. The admittance of risk brings return as I said before.

So why can't we see the bright side of life when we are identifying risks? I got one wild guess here.

Could it be possible that we enhance our business case so much when we are trying to get the green light from the board that we already start planning a semi-impossible project and already absorbed the opportunities in the base case? Or are we under so much pressure that we do not allow for things to be even slightly better? It is something to be considered.

Whenever possible, we try to monetize things and bring the decision to a single indicator, the Net Present Value of the Cash Flows, the Internal Rate of Return or another one, but we should always consider the other dimensions. Safety, Social Implications, Governance, Health, Environment, and such.

What I take from my quantitative risk analyses in the last decade or so is that when we consider the risk events, uncertainties, imprecisions and such, we end up so far from the baseline and the agreed upon plan, it is almost a lost battle before it begins! Distributions are always skewed to the downside, reflecting the tendency for things to cost more, to take more time, to use more resources, etc.

Preparing a more feasible business case and have It thoroughly analyzed by a third party with no links to the project area seems like a good idea, but is it actually done by most companies, or people? Or we are just “hoping for the best but expecting the worst”, as Alphaville would say?

No matter what, we should always try to have a realistic point of view of our project, and adjust our plan to match the risky side of life. There is nothing wrong with having a challenging date, but not an impossible one. And make some room for opportunities, for Pete’s sake!

What do you think? Join the discussion! Leave your comment below and I’ll reply. Thank you for reading!

Posted on: August 08, 2018 09:38 AM | Permalink | Comments (7)

"A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools."

- Douglas Adams